In a case that will have profound implications, the European Court of Human Rights has issued a judgment against Finland in a medical privacy case.
The complainant was a nurse at a Finnish hospital, and also HIV-positive. Word of her condition spread among colleagues, and her contract was not renewed. The hospital’s access controls were not sufficient to prevent colleagues accessing her record, and its audit trail was not sufficient to determine who had compromised her privacy. The court’s view was that health care staff who are not involved in the care of a patient must be unable to access that patient’s electronic medical record: “What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place.” (Press coverage here.)
A “practical and effective” protection test in European law will bind engineering, law and policy much more tightly together. And it will have wide consequences. Privacy campaigners, for example, can now argue strongly that the NHS Care Records service is illegal. And what will be the further consequences for the Transformational Government initiative – the “Database State”?
TheBigOptOut.org has a press release out.
“44 .. For the [European Court of Human Rights], what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements contained in section 26 of the Personal Files Act [Finland], a fact that was not given due weight by the domestic courts.”
“47 .. What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here.”
The first of these excerpts from the judgement implies a much lower level of protection than the second. Presumably HMG could use it to suggest that the NHS Care Record service is legal as it is in accordance with UK law. Is there a UK legal opinion on the verdict?
The second excerpt is on the right track from a security viewpoint, which is probably why it’s being picked up. But I’m concerned about the phrase “any possibility”. All records systems will fail to provide such perfect security.
How can any system, much less one which is practical, “exclude any possibility of unauthorised access occurring in the first place”?
I can see that being a design goal, but the language of the court suggests that the test is based on the outcome. If so, why not simply have strict liability for unauthorized access to protected information?
@ Chris Walsh,
“If so, why not simply have strict liability for unauthorized access to protected information?”
I can think of one simple reason: loss of information can and usually does have unforeseen consequences that might not occur for some considerable period of time. Therefore how do you judge what level of restitution is owed to the affected person at any point in time?
@Clive:
By allowing the injured party to decide when to bring a claim?
@ Chris Walsh,
“By allowing the injured party to decide when to bring a claim?”
In most parts of the world there is a time limit on when you can bring a civil (and in some cases criminal) case to court.
In most cases this is seven or less years after the actual event.
As I indicated (neither you nor the person holding data on) you may not become aware of the loss of confidential data about you for some period of time. And therefore potentially you lose your right to claim (although this might now be changing/ed in the U.K. for a civil claim for damages arising from a criminal act).
It is an area of the law that needs to be addressed not just in extending / removing the time limit but also in either allowing multiple claims or ongoing claims against the offending party.
This would be an extremely radical change to the way courts currently work, and it is likely to meet stiff opposition not just from the judges and practitioners but also from potential defendants such as the U.K. Government and its various agencies etc.
@Clive
Such limitations do not apply when the case might not reasonably have been brought within the time limit: for example, asbestos cases. Another example is bank charges where (before the moratorium) plaintiffs were successfully arguing that they had been misled by the banks and hence the six year rule did not apply.